Comment on Air Safety

For an “all or nothing” solution, the option of “nothing” is an unnecessary risk. Yet this option is the preferred choice in the recent action by the Federal Aviation Administration (FAA) to eliminate emergency oxygen from aircraft lavatories. (See Aviation Safety Journal, “Emergency Oxygen Ordered Removed From Lavatories”)

On 10 February 2011 the FAA ordered airlines to render nonfunctional in 6,000 planes’ lavatories the oxygen supply to the “little yellow cups” that ordinarily drop from the overhead in the event of loss of pressurization. The emergency oxygen supply to regular passenger seats will be unaffected.

There is an apparent fear on the part of federal authorities that terrorists could utilize the oxygen generators above the lavatories as a means to accelerate a fire. The oxygen generators stowed above passengers’ heads utilize burning sodium chlorate to produce oxygen, which then travels down a plastic tube to the yellow oxygen mask. The oxygen canister gets hot, so the fear is that an ignited canister could not only ignite nearby flammable materials but also the oxygen produced could worsen the flames.

Exactly how a terrorist in a locked lavatory could get access to a canister stowed in the overhead is not clear. The fact is that rendering the canister “safe” from terrorist use also means the lavatory has no emergency oxygen. A passenger in the “loo” responding to a call of nature has approximately a minute or two to don an oxygen mask before losing consciousness. This is the reason why lavatories were outfitted with emergency oxygen; there is not time to complete one’s “business”, unlock the door, and dash to the little yellow cup dangling over the passenger’s seat. Elderly and infirm passengers with slow mobility may not win the race from the lavatory to their seat, losing consciousness in the lavatory or in the aisle.

A plaintiff’s lawyer will have a straightforward case to plead: my client is brain damaged/dead because there was no emergency oxygen. It will cost the airlines about $1 million to deactivate all lavatory emergency oxygen canisters. The settlement from one deceased passenger could total $10 million or more. The airlines are not being exempted from liability at the same time they have been directed by the FAA to nullify emergency oxygen in the lavatories.

One gets the impression that the FAA has not considered an option which avoids the heat generated by the present canisters while providing a supply of oxygen-enriched air to a passenger caught by a surprise decompression in the lavatory. The steel oxygen canister stuffed with sodium chlorate and other chemicals dates back to at least World War II; the canisters were used for emergency oxygen aboard submarines.

Advances in technology have made possible a new means of providing emergency oxygen: pressure swing adsorption (PSA). Special adsorptive materials, notably zeolites, are used to preferentially adsorb target gases at high pressure. When the pressure is reduced, the trapped gas is released, or desorbed. Thus, ambient air passed through a PSA device will capture the nitrogen and the output gas will be enriched in oxygen.

Zeolite, whose unique properties are at the heart of PSA gas separation.

When the capacity to adsorb nitrogen is reached, pressure is reduced and nitrogen is released. Two adsorbent vessels allow for near-continuous production of a target gas.

Schematic of the PSA process. Zeolite is used as a molecular sieve, preferentially adsorbing the target gas at high pressure. When the pressure is reduced, the target gas is released.

This is exactly the process featured in portable oxygen concentrators used by emphysema patients and others who require oxygen enriched air to breathe.

The system operates at near-ambient temperature; in other words the danger of fire is greatly reduced, and the PSA technology is not a flame accelerant. Since the system is electrically powered, it can be turned off in the cockpit, if not by a designated switch then by a circuit breaker. For any person in a locked lavatory suspected of trying to gain access to the PSA oxygen generator, the malign intentions can be foiled by switching the PSA off. In fact, the terrorist could be restrained in the locked lavatory until landing.

Innocent passengers caught in the lavatory during a cabin decompression event would have emergency oxygen, and terrorists would be denied a hot generator emitting oxygen.

This situation is a “best of two” solutions. Replacing the chemical canister with a PSA device is much preferable to the “nothing” adopted by the FAA in a dubious scenario involving terrorists.

Statistics abound on aircraft incidents and accidents, except for “public use” fixed-wing and rotary-wing flying machines. We are left with anecdotal reports, such as the number of accidents in a period of time, but nothing like events per so many flying hours. Without such a denominator, the comparative record of public use operations cannot be usefully compared to the rest of the aviation industry.

This is just another way in which public use operations are an orphan, with no effective oversight by the Federal Aviation Administration (FAA), which has indicated it has “no intention” of changing the state of affairs. Moreover, there are no equivalent statistics maintained by the National Transportation Safety Board (NTSB) on lives lost and mangled aluminum.

Just to refresh memories, public use operations involve contract flights on behalf of federal and local government entities. For example, the “water bombers” flying in support of U.S. Forest Service firefighting efforts are in the unregulated public use category. Another example: helicopters flying for local entities such as the Maryland State Police.

If one asks the NTSB for the number of public use accidents, one will get a stack of accident summaries, from which one can glean 17 dead and five accidents since 2007 involving public use aircraft flying for the Forest Service. To be sure, this is an horrific record, reflecting the price paid for the FAA’s hands-off attitude.

How this toll compares to the other main sectors of aviation remains unknown. What is needed for the public use category is an accident rate per 100,000 flight hours and/or per 1,000,000 miles flown.

Review the NTSB statistics (www.ntsb.gov/aviation/stats.htm). The searcher will look in vain for any information regarding the public use category. Yet there are ample, detailed statistics on every other category of aviation, presented in the 12 tables.

For Part 121, scheduled airlines: data as far back as 1990 on the number of accidents, fatalities, accidents per 100,000 departures, per 100,000 flight hours, per 1,000,000 miles flown, and more.

For Part 135, non-scheduled air taxi and on demand operations, less detailed information but still accidents per 100,000 flight hours.

For Part 91, general aviation, a real eye-opener on the mayhem in this category – such as 1,474 accidents in 2009 (the most recent year data is presented) with 474 people aboard killed. There is an average of 1.3 deaths a day in general aviation. More importantly, there is data on the accidents per 100,000 flight hours.

Hence, useful comparisons between Part 121, Part 135 and Part 91 flying are easily made:

For public use operations? Nothing. No table. No data. No comparisons possible. I am willing to bet that public use operations have an accident rate somewhere above that of Part 135 and below that of Part 91. For instance, the “water bombers” flying for the Forest Service are generally being flown in old, converted military airplanes, with sketchy maintenance records and a substantial amount of metal fatigue and corrosion. These firefighting aircraft are operating in areas of high turbulence (updrafts from fires), which puts a strain on their structure (wings have been breaking off). Flying at low altitude in these conditions is not as safe as an airliner benignly cruising at 30,000 feet, but how much less safe has firefighting flying been? Statistically, we have no idea.

One cannot make policy decisions without good data. One cannot focus regulatory resources in the absence of data.

Senior FAA officials proclaim that their priorities will be “data driven.” In the absence of data about public use operations, it is not surprising that the agency ascribes a non-priority to oversight of public use aircraft and helicopter operations.

All operators of public use aircraft maintain records of flying hours per machine. The information is necessary because many maintenance actions are linked to accumulated flying hours.

The NTSB can provide the accident data, as reporting of even less-than-fatal accidents is required.

The hours flown divided by the number of accidents can be used to derive the rate per 100,000 flying hours. This information can be displayed on another line in the table above for public use. My wager is that public use operations will have a fatal accident rate 10 times greater than for scheduled airline operations. Is this an acceptable rate for the FAA to continue its regulatory neglect? Or would such a tenfold rate galvanize FAA officials into adopting the public use orphan now sitting on the curb, ignored by the government as a no-data non-entity?

In its latest assessment on the safety of air travel, the International Air Transport Association (IATA), a lobby group representing more than 230 airlines globally, proclaimed flying is so safe that if one were to take an airline flight every day it would be approximately 4,400 years before one would be involved in a fatal accident. (See Aviation Safety Journal, “Accident Trend Data Show Improved Safety Still Needed”)

Believing the above statement, flying then is much safer than open-heart surgery. If one were to undergo coronary surgery on a daily basis (with no complications from the previous day’s procedure), one would die on the operating table in less than one year.

The risk of open heart surgery is much greater than that of flying, but this is not as valid as comparing flying to other modes of transportation

Both in terms of time between accidents and operating room risks, these measures of air safety are misleading. The former misleads by racking up a hugely convenient denominator; the latter by comparing a perfectly healthy airline passenger to a patient with severe heart disease.

Safety across all modes of transportation is usually measured by the fatality rate per billion miles travelled. By this measure, airplanes do not score nearly as well as trains:

The comparison between airliners and passenger trains is apt because both represent very public forms of transportation, with government oversight and licensed crews. Comparing the safety of airline travel to automobile travel is really mixing the proverbial oranges and apples. Automobile travel is private, with varying degrees of driver alertness and competence and with highly variable maintenance of the vehicle (ranging from rigorous fanaticism on the part of some car owners to others not knowing what the amber “check engine” light on the dashboard signifies).

A train derailment, even at high speed, may be less catastrophic in terms of lives lost than an airplane crash from 30,000 feet, which usually ends with crumpled aluminum and bodies “commingled” – in the euphemistic phrase employed by accident investigators – with the wreckage.

Air crashes involve mass death that unnerves the public, as in the case of the 228 killed in the 2009 loss of Air France flight 447

The train travel statistic cited above is for all trains, globally. If high speed trains are singled out – Japan’s “Bullet” trains or France’s TGV – the air/train comparison is even more appropriate. High speed trains operate at roughly the takeoff and landing speeds of airliners. In this respect, high speed trains are eight times safer, per mile travelled, than planes. Japan’s “Bullet” trains have operated since the early 1970’s without a single fatality (not counting the occasional despondent who commits suicide by throwing himself in front of a hurtling train). Similarly, France’s TGV, operating on special, fenced-off tracks, has never had a fatal accident.

High speed trains, like Germany's Intercity Express (ICE), are much safer than airliners

Decades pass between accidents involving high-speed trains. If the aviation industry passes a year without a fatal accident, that is cause for self-congratulatory rhetoric about how the “enhanced commitment” to safety is paying off. In truth, a year’s gap between air crashes remains an anomaly worthy of mention.

The 2006 midair collision between a GOL 737 (shown here) and a business jet killed all 157 on the airliner. The accident reflects the positive and negative aspects of technology. Improved navigation accuracy meant the two airplanes, flying in opposite directions, could operate much closer together on aerial 'highways'. But the collision alert transponder on the business jet inadvertently was switched off, making an accident more likely

The hard fact of the matter is that there has not been a step-increase in air safety since the advent of the gas turbine powerplant.

High speed trains are now approaching planes in the amount of power at their disposal. For example, the Acela Express train, operating in the Northeast Corridor of the U.S., features a locomotive at each end of a six-car articulated train set. The two locomotives provide over 12,000 combined horsepower – a lot for six passenger cars but necessary for quick acceleration and for maintaining high continuous speeds.

Comparing the horsepower of Acela’s electric motors to pounds of thrust in a jet turbine is slightly problematic, but 1 hp equates to approximately 75-110 pounds of thrust. The Acela musters close to the horsepower of a B747 jumbo jet, depending on the particular model jet engine selected. It should also be mentioned that modern jets feature a large amount of electric generation capacity to power ever more flight systems.

The Acela is a variant of France’s TGV high-speed train and has yet to experience a fatal wreck.

Accounting for the variability of weather, traffic, and other unique features of air travel, it would seem reasonable to establish a goal of, perhaps, one fatality per billion miles of airline flying. The rate of 1.0 is less than the current rate of 0.5 for all forms of train travel, and it makes much more sense than comparing today’s crash rate to that of yesterday’s. By this measure, even open heart surgery is safer today, as is just about everything else.

Current aviation statistics are clouded by big and misleading numbers (sometimes expressed in even more confusing powers of ten, as in 1 × 10⁻⁹). Comparing safety across modes of transportation is the only way to objectively and meaningfully quantify the risk of air travel.

Almost 100 jets were grounded to accomplish required safety checks, raising serious questions about federal oversight of the airline that was at least eight months late doing the work.

On 15 February United Airlines announced that it was grounding 96 of its B757s to check and validate software and hardware changes for the airplane’s air data computer systems.

UAL B757-200

“We apologize for any inconvenience and ask customers to check their flights status … before going to the airport,” said United spokeswoman Megan McCarthy. The work reportedly will take 12-24 hours to complete, so the airplanes should be returned to service as of this writing.

According to media reports, during a routine maintenance check, United discovered that it had not followed all the steps required in an airworthiness directive (AD) issued by the Federal Aviation Administration (FAA) in 2004.

End of story? Not a big problem? Hardly. Rather than soothing reports of how well United did getting these grounded aircraft back on the flight schedule, the story should have been of the utter failures demonstrated here and the lack of assurances that this latest problem isn’t part of a systemic FAA absence of oversight.

The AD in question (AD 2004-10-15) was published in the Federal Register in May 2004. Extracts below set forth the work to be done and the reasons therefor:

“This [AD] requires a modification of the air data computer (ADC) system, which involves installing certain new circuit breakers, relays, and related components, and making various wiring changes in and between the flight deck and main equipment center …

“This action is necessary to ensure that the flightcrew is able to silence an erroneous overspeed or stall aural warning. A persistent erroneous warning could confuse and distract the flightcrew and lead to an increase in the flightcrew’s workload. Such a situation could lead the flightcrew to act on hazardously misleading information, which could result in loss of control of the airplane …

“For Model 757-200 … airplanes: Install a circuit breaker and replace an existing lightplate assembly with a new, improved lightplate assembly in the flight compartment; install two relays and remove a certain relay in the main equipment center; make various wiring changes in the flight compartment and main equipment center; and perform tests of the flight data acquisition unit, flight data recorder system, and stall and overspeed warnings.”

The work was required within 6 years of the AD’s effective date of June 22, 2004. United had performed the hardware changes within that period, but failed to perform the functionality tests, hence the grounding for the required tests.

The period of non-compliance with the AD appears to be from June 2010 to February 2011.

United’s public announcement of the belatedly required checks may be an attempt to forestall a civil penalty of millions of dollars, since the out-of-compliance fine is based on the number of airplanes times the number of flights made in a noncompliant condition. Recall that in October 2009 the FAA proposed a $3.8 million fine against United for flying a B737 over 200 flights with shop towels, rather than protective caps, covering openings in the oil sump on the right-side engine. Recall, also, the $24.2 million fine proposed against American Airlines in August 2010 for failing to follow an AD affecting 286 MD-80 twinjets.

One has to ask why the full AD compliance was not tracked in a timely manner by United. After all, software for alerting when data (invoices) becomes “past due” is available at all office supply stores.

And where was the FAA principal maintenance inspector (PMI) in this fiasco? If he didn’t notice the noncompliant aircraft, then where were the certificate management folks assigned by the FAA to oversee United’s operating certificate (which includes AD compliance in support of that operating certificate)? Lastly, if oversight at these field levels was lacking, where was the FAA’s Washington DC headquarters in all of this?

Pertinent questions go well beyond feel-good statements.

Every month that this AD went beyond compliance is not just an indictment of United’s programs for continuing safety analysis accepted by the FAA, but also of the FAA’s entire oversight program – from the PMI to Washington headquarters.

For almost a quarter million dollars, the taxpayers of this country and the Secretary of Transportation sure didn’t get much for the money. In fact, what they got is another toothless study which will lie moldering on the shelves.

I am referring to the latest “work” of the Future of Aviation Advisory Committee (FAAC). On 9 December 2010 the FAAC presented 23 recommendations to Transportation Secretary Ray LaHood on how to ensure the strength and safety of aviation. The wording of recommendation #23 is enough to give a flavor of the FAAC’s effort:

“The Secretary [of Transportation] should:

1. Utilize the full resources of his office to continuously educate the flying public about the dangers of flying with lap children.

2. Update the economic and safety data concerning families travelling with small children, including incidents and accidents involving injuries and deaths [and]

3. Based on the information provided by these finding, the Secretary should take necessary action, which may include a rule-making or other appropriate next steps.”

The giveaway words here are “may include a rule-making.” As written, it is just as likely the Secretary of Transportation will cave in to airline industry pressure and may not institute rule-making. The words “or other appropriate next steps” are imprecise and just guarantee that the whole subject of lap children will be dragged to oblivion.

The 2010 FAAC meets in Washington DC

If the FAAC had looked at the issue in any depth, free of airline industry influence, it could have recommended something useful:

“Given the inherent dangers of unrestrained lap children, the Secretary should institute rulemaking within three months, with the intent of ending this hazardous practice within 18 months of publishing the Notice of Proposed Rulemaking (NPRM).”

A recommendation along this line, with specified deadlines, would have been worth something – maybe even a quarter million dollars given the statistical value of a life. But the FAAC is comprised of academics, airline executives and others who completely outweigh representatives such as the president of the Association of Flight Attendants (AFA), who gave an impassioned plea for action to curtail the practice of lap children. (See Aviation Safety Journal, “Advisory Group Punts on ‘Lap Children’ in Airliners”)

Secretary LaHood waxed appreciation for the FAAC’s report, lauding the committee’s “valuable service” providing a “blueprint” for the industry. Some blueprint; more like a glossing over of key problems.

For this, the Department of Transportation (DOT) paid $220,775 for travel and miscellaneous expenses; basically, a quarter million dollars for five FAAC meetings.

The members are not paid, but appointment to the committee allows members to shape the debate.

Here’s a breakdown of 2010 FAAC costs:

$145,308 Drafting and recording the minutes of all meetings, and drafting support for each of the subcommittee reports.

Given that a FAAC is appointed yearly, the expenses over time would clearly run to the millions of dollars. Not once has the Secretary of Transportation convened a press conference to announce: “Based on the recommendations of the FAAC, I am today taking action to end the practice of carrying lap children when laptop computers and coffee pots must be secured for takeoff, landing and in-flight turbulence.”

The FAAC is testament to the Washington habit of visiting a problem, not solving it. The FAAC could disappear and aviation would not be one whit less safe, much less materially safer.

For the pretense of progress, look no further than the recommendations submitted by an advisory committee and breathlessly endorsed by the Secretary of Transportation. Really, we could eliminate the committee and save tens of thousands, if not hundreds of thousands, of taxpayer dollars.

On 9 December 2010 the Future of Aviation Advisory Committee (FAAC) presented 23 recommendations to Transportation Secretary Ray LaHood on how to ensure the strength, competitiveness and safety of aviation. The committee’s 19 members came from airlines, airports, manufacturers, labor, academia and general aviation stakeholders. With members like Glenn Tilton, president and CEO of United Airlines, the line-up was a guarantee for conventional, status quo thinking. This was evident in the FAAC’s recommendations on “lap children” aboard airliners, in which the committee recommended more “education” of the flying public about the dangers of flying with lap children. The committee could have called for regulatory action to end the practice of “lap children” and to properly restrain them in their own seats. (See Aviation Safety Journal, “Advisory Group Punts on ‘Lap Children’ in Airliners”)

LaHood waxed appreciation for the FAAC’s report, saying, “This committee has provided a valuable service to all members of the aviation community with this blueprint for the industry.” But did LaHood carefully review the FAAC’s recommendations? Apparently not, because in the next breath he said, “I look forward to thoroughly reviewing the recommendations.”

We will save him the time, focusing on the FAAC’s specific safety recommendations (other than lap children restraints discussed elsewhere in this publication):

Item: “Delivering the benefits of NextGen. The Secretary should fully endorse and focus on ensuring that FAA delivers the operational capabilities, procedures, and approvals necessary for operators to realize the benefits from the NextGen air traffic control system as quickly as possible.” The discussion goes on for more than a page in this vein, with not one word about the improved safety the system is supposedly going to provide.

Comment: NextGen rests on the capabilities of ADS-B (automatic dependent surveillance, broadcast) to cram more airplanes into the nation’s crowded skies and airports. The system is automatic in the sense that airplane avionics do not have to be queried by radar. Rather, the system on the aircraft relies on navigation signals from global positioning system (GPS) satellites in space, and other on-board avionics, to automatically generate key elements of the airplane’s location, altitude, speed, and so forth.

It is dependent, in the sense that ground stations rely on the aircraft to reliably broadcast its navigation solution and other identifying parameters. Many of these factors, such as the aircraft’s horizontal (i.e., lateral/longitudinal) position have heretofore been determined by ground radar.

The term surveillance refers to the need for ground control to know where airplanes are in relation to each other.

The term broadcast refers to the airplane’s new role in providing this information, making the airplane a much more active – as opposed to traditionally passive – participant in the air traffic “solution,” as it were.

“ADS-B Out” refers to transmissions from the aircraft to air traffic control to enable aircraft to be spaced closer together in the air routes. But “ADS-B In” would enable an ADS-B equipped aircraft to receive information from other aircraft and from the airport. This “ADS-B In” capability is not being required. Thus, operators have until 2020 to equip their aircraft with “ADS-B Out” but “ADS-B In” will be addressed in separate rulemaking.

Nor does the FAA appear to have addressed the vulnerability of ADS-B to jamming of the GPS signals. It has been demonstrated that a 1-watt jammer will block GPS signals for many miles around an airport, disrupting ADS-B’s central role in descent and landing under the NextGen concept.

There are stacks of reports issued by the Government Accountability Office (GAO) and the Department of Transportation Inspector General (DOT/IG) indicating that NextGen is in trouble. Here are just four comments:

GAO, November 2010: “FAA has yet to make many key decisions required to shape and determine the future direction of NextGen.”

GAO, July 2010: “Without specific goals and metrics for the performance of NextGen as a whole … it is not clear whether NextGen technologies, systems, and capabilities will achieve desired outcomes and be completed within the planned time frames.”

DOT/IG, April 2010: “Key multibillion dollar programs have experienced problems, and the FAA has yet to fully determine their NextGen-specific requirements.”

DOT/IG, March 2009: “To highlight transition issues and establish requirements, FAA must complete its ongoing ‘gap analysis’ of the current and vastly different NextGen systems and refine the NextGen mid-term architecture.”

This is a program in mounting technical difficulty, with plenty of potential for cost overruns and performance deficiencies. The FAAC limited itself to generalized fretting, along the lines of “fully leveraging … ADS-B” and “the Secretary should require the FAA to develop and commit to a timetable when requirements will be set …”

One gets the impression that the FAAC was not even aware of the absence of “ADS-B In” during initial implementation, or the vulnerability of building the whole NextGen edifice on GPS signals that are easily jammed.

The safety improvements that NextGen is hoped to bring, in terms of incidents or accidents avoided, have yet to receive even token discussion.

Item: “Legal Protection of Voluntary Safety Data and Information. The Secretary of Transportation should seek comprehensive legal protections for voluntary and mandated safety data programs and information to ensure their continued benefits to safety … the development, analysis, documentation and availability of shared safety information will be inhibited if there is potential that it may be used for other purposes such as out-of-context exposure through the media, admissions in criminal or administrative prosecution, or use in civil litigation.”

Discussion: It is a classic industry ploy to decry “out-of-context exposure through the media” when in truth the agenda here is to keep embarrassing information out of the newspapers and TV news. It should be noted that Aviation Safety Action Program (ASAP) reports are fully available to outside sources and there has never been a concerted industry complaint that media exposure took things “out of context.”

Recall the FAA argument on reporting bird strikes:

“The agency is concerned that there is a serious potential that information related to bird strikes will not be submitted because of fear that disclosure of raw data could unfairly cast unfounded aspersions on the submitter… [and] The complexity of the information warrants care with its interpretation; releasing this information without benefit of proper analysis would not only produce an inaccurate perception of the individual airports and airlines but also inaccurate and inappropriate comparisons between airports/airlines.”

Secretary LaHood overrode these concerns and ordered that bird strike data be made publicly available. These same tired arguments are being raised again about safety programs, and LaHood’s response – contrary to the FAAC views – should be the same as it was for bird strike data.

Moreover, if the FAA were to mandate programs such as Safety Management Systems, rather than encourage their voluntary adoption, and let the results speak for themselves, the public would get a better appreciation for the industry’s commitment to safety.

Item: “Predictive Analytic Capabilities for Safety Data and Information. Beginning with the FY2012 budget for the FAA, the Secretary should provide focus, priority, and resources to develop improved tools and methods in order to provide a robust aviation system predictive safety risk discovery capability.”

Discussion: Such a program has already been developed and was actively suppressed by the FAA and the aviation industry. In 2007, under the imprimatur of the National Aeronautics and Space Administration (NASA), a program was developed known as the National Aviation Operational Monitoring Service (NAOMS). It was an innovative attempt to identify emerging risks through structured interviews of pilots, air traffic controllers, flight attendants and mechanics.

NASA was criticized by the FAA and industry for releasing the data, which contained a far greater number of incidents of safety problems than reported elsewhere. For example:

2,339 incidents where Air Traffic Control refused pilot requests to alter course due to severe weather.

Over 4,000 occasions where reserve fuel was required to remain flying.

Industry representatives claimed they already have the ASRS (Aviation Safety Reporting System) reports, and therefore NAOMS was not necessary. But ASRS features only reports submitted and is not a valid measure of system safety or system wide problems.

NAOMS provided just the type of “forward-looking analytical capabilities” called for by FAAC, as it uncovered safety threats that had not yet culminated in an accident. But it died prematurely because its data discomfited the FAA and the aviation industry.

The FAAC obviously did not even look at the NAOMS effort and how it would provide useful information on emerging threats to air safety.

Item: “Expanding Sources of Voluntary Safety Data. The Secretary and the FAA Administrator, working with aviation system partners and other industry and government advisory committees, should identify potential new and valuable sources of safety data, and establish criteria for when/how those sources would begin to be included.”

Discussion: See remarks above concerning the stillborn NAOMS project. The FAA also has the Service Difficulty Report (SDR) database, but reporting under this required program varies by airline, from non-compliance (0%) to full compliance (100%). Moreover, SDR reports are only required of problems in flight, not on the ground. The industry has resisted FAA efforts to expand SDR reporting to include ground events, rendering the entire SDR database rather arbitrary.

Before going out and reinventing the wheel, the existing problems with SDR reporting should be cleaned up and promising programs like NAOMS should be exploited.

Item: “Identification of Safety Priorities. The Secretary should quickly review the existing regulatory and safety initiative calendar [and] provide parameters and criteria for the FAA to prioritize its current and future rulemaking program. This review should include industry, or at a minimum seek industry input, and the results should be made publicly available … A fresh identification of priorities is needed to ensure that safety priorities are, in fact, driven by data and information and that there is an overarching sense that the government and industry are focused on the right issues first.”

Discussion: Note the admonition that the FAA should seek industry participation. One might point out that the FAA is a regulatory body providing oversight. Industry participation may lead to obfuscation and delay of efforts deemed discomfiting to the status quo.

A listing of data-driven priorities already exists. It’s the “Most Wanted” safety recommendations published annually by the National Transportation Safety Board (NTSB). It’s definitely data-driven, in that its safety recommendations come out of accidents. It is also an urgent list that is “slow rolled” by the FAA; the “Most Wanted” recommendations are either ignored by the FAA, rejected outright or implemented half-heartedly and belatedly.

The FAA does not need a “fresh identification” of priorities; the “Most Wanted” list is the considered opinion of the NTSB based on accident investigation. The recommendations are written in blood; what additional incentive does the FAA need?

Imagine a classroom of students taking a quiz. One student has been designated to collect the completed work and deliver it to the teacher, several blocks away. The student courier is highly tempted to take a peek at the students’ work. This is an approximation of the procedure by which flight recorders are removed and shipped from aircraft involved in incidents. In this case, the recorder was downloaded in whole or in part at the airline’s maintenance facility instead of being shipped unmolested to the Washington DC headquarters of the National Transportation Safety Board (NTSB).

On 28 December an American Airlines B757 overran the snowy runway at Jackson Hole, WY by some 350 feet. None of the 181 persons aboard was injured; neither spoilers nor thrust reversers deployed promptly.

An American B757 of the type involved in the overrun

The immediate problem in the Wyoming incident is that neither NTSB nor Federal Aviation Administration (FAA) officials were present to supervise removal of the flight recorders. This task was left to the airline, which then flew the recorders to its maintenance base at Tulsa, OK. While there, a portion of the flight data recorder (FDR) data, or the entire 2 hours, was downloaded for company use. The recorder was then shipped to the NTSB laboratory in Washington.

According to knowledgeable sources, this is not the first time that the carrier has downloaded recorder information while entrusted to ship them – without interference – directly to the NTSB.

As a result of its ill-advised actions, American Airlines has been removed from party status, which basically means it has been barred from participating in the investigation.

The penalty seems to be the equivalent of a hand-slap.

NTSB Chairman Deborah Hersman said in a statement that the download was “a breach of protocol” that violates standards for any organization that is allowed to participate in a Board investigation.

Adherence to standards is “vital to the integrity of our investigative processes,” she said.

American Airlines spokeswoman Mary Fagan said in a statement that the airline downloaded information from the FDR “as part of its normal safety investigation of the incident.” There was no attempt to circumvent the collaborative process with the NTSB, she added. These glib excuses suggest that American Airlines sees nothing wrong with its actions and, indeed, may have engaged in similar downloading previously.

Information from the cockpit voice recorder (CVR) was not downloaded, raising questions about the carrier’s motives for accessing only the FDR.

"Do not open" implies to the airline "do not download"

Given the history of airline and manufacturer denial of key information, obfuscation of facts, and selective memory, one could question the NTSB assertion that the process has worked just fine for 40 years.

In the Wyoming overrun case, a number of questions were posed to the NTSB; some of the answers point to numerous holes in their investigative process:

Question: Who removed the recorders from the overrun airplane and when?

Answer: The NTSB asked American Airlines to have their personnel remove the recorders from the aircraft and transport them to the NTSB recorder lab in Washington, DC, in accordance with normal party procedures. The recorders were removed from the aircraft the same day as the incident.

Q: Why were these recorders not transported via the NTSB chain of command instead of by American Airlines?

A: The NTSB investigates most accidents using the party system. In this case, the NTSB initiated a formal incident investigation and designated American Airlines as a party to the investigation and requested that they ship the recorders to NTSB HQ in the most expeditious manner. As the operator, American is required to preserve all data surrounding the incident until the Board takes custody in accordance with 49 CFR 830.10 [Title 49, Transportation, Code of Federal Regulations, paragraphs dealing with Preservation of aircraft wreckage, mail, cargo, and records].

For major accidents on which an NTSB Go Team launches, the NTSB or our designee takes custody of the recorders at the site and the recorders are flown to Washington, usually via the FAA airplane that transported the NTSB investigative team to the site. For incidents, where there is no FAA or NTSB employee on scene and there is not likely to be for several hours, we may have the carrier remove the recorders and send them to us by the most expeditious means possible.

Q: Were these recorders in a locked steel container for shipment? If so, how did American Airlines access the recorder?

A: The recorders were shipped in appropriate shipping containers specifically designed for each recorder.

Q: In civil jurisprudence, evidence tampering is a crime. What do your lawyers and administrative law judges propose in the way of sanctions – for this or future cases – that have more bite than removal of party status?

A: The sole objective of an NTSB investigation of an accident or incident is for the prevention of accidents and incidents. It is not the purpose of this activity to apportion blame or liability (§ 831.4 Nature of Investigation). The “party system” utilized by the NTSB to investigate accidents has been in use for decades, primarily because it is the most effective investigatory process for major transportation accidents and incidents.

Guidance provided to parties for their participation in an NTSB investigation notes that parties and party participants must be responsive to the direction of NTSB personnel and may lose party status if they conduct themselves in a manner prejudicial to the investigation or do not comply with NTSB instructions.

In this situation, we have determined that the revocation of American’s party status was the appropriate course of action. We also believe that this will send a clear message to the aviation community that such breaches of protocol are not acceptable. There are certain circumstances in which actions by an individual or entity, including a party, that interfere with or impede the Board’s investigation can rise to the level of a criminal offense. The Board may turn those matters over to federal prosecutorial authorities as the Board deems appropriate.

Q: If the NTSB does not have a regulation that says, in effect, “NO REPRESENTATIVE OTHER THAN THE NTSB WILL BE ALLOWED TO HANDLE, STORE AND/OR TRANSPORT FLIGHT RECORDERS” is such a proviso now contemplated?

A: In accordance with 49 CFR 830.10, the operator of an aircraft involved in an accident or incident must preserve “all recording mediums of flight, maintenance, and voice recorders pertaining to the operation and maintenance of the aircraft” until the Board “takes custody thereof or a release is granted ….” The NTSB took custody of the recorders when they arrived at DCA and, until that point, the party was responsible for preserving them in the condition they were upon removal.

As referenced above, there are provisions already in place that address interference with an NTSB aircraft accident investigation. We provide clear and unambiguous instructions to the carrier on the protocols for handling the recorders and transporting them to us. As noted in response to the previous question, all parties are instructed that they may lose party status for failure to comply with NTSB instructions.

Based on these responses, a number of thoughts occur:

The airplane could have been parked, unmolested, until an NTSB official arrived on-scene to supervise/witness recorder removal. It makes absolutely no sense that an FAA employee from Casper, WY, or elsewhere could not be at the incident site sooner than it took to assemble a group of American Airlines mechanics and fly them in a chartered corporate jet from Tulsa to Jackson Hole.

And having this team retrieve, unsupervised, the flight recorder, was more expedient for the NTSB? Safety and sanctity of the FDR data should take precedence over expedience any day.

In its answers, the NTSB included this sentence: “The airline is instructed to transport the recorders without delay and without accessing the information contained within them by any means.” Where or when was this instruction given to American Airlines? §49 CFR 830.10 is silent on the matter.

The recorders should have been placed in a steel tamper-proof lockbox at the scene for shipment to Washington DC. If necessary, the steel box can be shipped via overnight, registered express. One doubts that shipment by the concerned airline is appropriate or faster.

The NTSB says “most accidents” are investigated by the party system, suggesting that not all inquiries involve parties. The question is why ANY investigation should involve parties and their resultant privileged position. Some other accident investigation bodies internationally do not utilize the party system, and their accident reports do not seem to be hampered in the least.

The Board should “take custody” of recorders at the incident site, not when the recorders are received in Washington DC. Different procedures for incidents and accidents are nonsensical; the difference between an accident and an incident is a few feet or a few seconds’ timing.

Custody by “our designee” suggests that said designee could be the airline involved – which compromises the NTSB’s role as an independent investigator.

What is the point of evidence collection through party members who may tamper with that evidence? The NTSB seems mighty trusting. Note the NTSB says the recorders were shipped in “appropriate” containers, sidestepping the issue of whether they were locked and bonded to deny access to all but the NTSB.

The claim that the party system in use for decades works well is belied by controversy. In the early 2000s, then-Chairman Jim Hall was extremely dismayed to find that Boeing had withheld from the Board key information about B747 fuel tank inerting. Filling the void space in the fuel tank with inert gas is the process of ensuring that the tank is explosion-proof. Had this information been available, it certainly may have influenced the Safety Board’s recommendations coming out of the investigation into the fuel tank explosion that downed TWA flight 800 and involved a B747. The FAA, also a party to the TWA 800 investigation, failed to disclose to the NTSB that it had successfully test-flown a fuel tank inerting system at its technical center in the late 1970s.

Another point to be made is that 40 years ago the technology allowed for recording only minimal data about flight performance. Today, much more raw data is available through flight recorders, enabling precise reconstruction of an event. The volume of data available today means it is a more valuable resource, requiring enhanced procedures to secure and transport the recorders to the NTSB.

The NTSB says it “may” turn over to Federal prosecutors cases involving blatant abuse of the party system. There is no record in recent years of the NTSB ever having done so. One thinks this would have a marvelously clarifying effect on any party to an NTSB investigation.

While 49 CFR 830.10 requires operators to turn over all recording mediums to the NTSB, the regulation is silent on the matter of unauthorized downloading of the data.

In the NTSB’s convoluted and self-justifying responses, the whole issue of when custody should be assumed is given short shrift. The NTSB, not the party, should supervise removal of flight recorders (or retrieval from the wreckage, as the case may be), ensure that recorders are placed in an NTSB-locked tamper-proof container, and shipped to the NTSB laboratory in such a manner as chain of custody is maintained by the NTSB and not by a party to the investigation.

It seems the NTSB should adopt protocols by which a recorder may not be removed from any aircraft involved in an accident or incident while engaged in a Part 121 (scheduled) or Part 135 (air taxi) operation without an NTSB and/or FAA representative with authority present. The only exception would be if the recorder is in imminent danger of being further damaged if not removed promptly.

If the NTSB does not have the resources to guarantee this process, it should request them from Congress. Nothing less than the NTSB’s independence is at stake.

For the first offense of party malfeasance, no less than a fine in the six-figure range is appropriate, with a second offense within five years increasing the penalty to the seven-figure range. For the third offense, loss of the operator’s license should be considered. Similarly, any party that opens and/or downloads information from the flight recorders should face a heavy fine and possible operating license suspension.

In this case, the NTSB was not even at the scene when American Airlines had a team of technicians and maintainers from that charter flight going over every possible procedural, mechanical and electronic component that may have contributed to the overrun. The circuit breaker was pulled to ensure that the recorder information was not corrupted, but the airplane itself should have remained where it was until an NTSB official arrived to take charge.

One does not take custody of critical evidence a few miles from NTSB headquarters, and from the airline involved, while insisting the loosey-goosey collaboration has “worked” for 40 years.

Think about this: safety deficiencies have already been identified, but the Federal Aviation Administration (FAA) is dribbling out corrections in penny-packets. Not only does the practice put aircraft occupants at risk, it creates a nightmare for maintenance personnel.

Recall that after the fuel tank explosion that downed TWA flight 800 in 1996, the aviation industry was challenged to go back and look at its design practices for fuel systems and associated electrical components thereof, and come up with recommended fixes.

Since aircraft fuel systems already met the certification regulations, one would think there would be maybe a couple dozen items across all transport category aircraft that would need retroactive correction. Not so. Based on the FAA’s 2001 order, known as Special Federal Aviation Regulation (SFAR) 88, titled “Fuel Tank System Fault Tolerance Evaluation Requirements,” aircraft manufacturers were told to review their fuel system designs and recommend correction, by aircraft model, by component, to reduce the possibility of an ignition source igniting an explosion of fuel-air vapors.

Hundreds of potential safety hazards were identified. The FAA has been issuing airworthiness directives (ADs) ever since, ordering operators to correct problems. The most recent was the 1 October proposed AD addressing Airbus A330 and A340 passenger jets:

“Failure of the auxiliary power unit bleed leak detection system could result in overheat of the fuel tank located in the horizontal stabilizer and ignition of the fuel vapors in that tank, which could result in a fuel tank explosion and consequent loss of the airplane. The proposed AD would require actions that are intended to address the unsafe conditions …”

The FAA says this is one of 11 proposed ADs and 233 final ADs issued since the SFAR 88 design reviews were completed. They have been issued singly, or in small batches of three or four ADs. In addition, 26 additional fuel tank safety ADs have been issued addressing potential ignition sources discovered after the completion of the SFAR 88 reviews.

That’s 270 ADs all told. They’ve been published quietly from 2003 forward. How an airline maintenance operation is to keep track of and coordinate the necessary work is not the FAA’s problem. Meeting the varying compliance times, assuring parts and labor, is not the FAA’s concern. To the agency, issuance of the ADs “solves” the safety problem.

The total cost to the industry of the various fixes remains unknown. To appreciate the overall price in terms of labor, materials, aircraft down time, lost revenue, etc., would entail going through each and every AD.

Since the overwhelming majority of risks were identified through the SFAR 88 process, it would seem better, from a safety and scheduling standpoint, to issue as many ADs as possible at one time, together. Airline maintenance personnel would then see the scope of work involved and could incorporate the activity at the next overhaul period.

With more than 200 deficiencies corrected at one time, the safety of passengers and aircrews would be materially enhanced sooner.

Nor have the last of the ADs been published. The FAA expects to issue 40 more SFAR 88 related ADs. In other words, these are hazards already identified on airplanes carrying thousands of passengers a day. That’s a total of 310 fuel system safety corrective actions.

The last AD will be published in 2011. Why wait? If the deficiency is known, publish the AD now.

Thus, the ADs will have been promulgated over an eight year period, 2003-2011. The last AD will be issued some 15 years after TWA 800 blew up. Given the time allowed to correct each condition identified by AD, it will be at least 2016 before the final fixes are implemented.

If all corrections known in 2003 were implemented over the same five or six year deadline, safety would have been immeasurably increased by now, not by 2011 or by 2016.

Reports of smoke filling the cabin of Boeing’s new B787 Dreamliner on a test flight, forcing an emergency landing and deployment of the inflatable slides to speed evacuation, raise a pertinent question: is the flying public going to be as vulnerable in the next 40 years as it has been in the past to smoke and fire? (See Aviation Safety Journal, “Boeing’s New B787 Suffers Electrical Fire in Flight”)

The B787 incident has parallels to an electrically induced fire that occurred on a United Airlines B777 at London’s Heathrow airport in February 2007. Good thing British investigators were on the case. United filed a service difficulty report (SDR) that indicated only “smoke,” not “fire,” so there was no reason for the Federal Aviation Administration (FAA) to press further. As for the U.S. National Transportation Safety Board (NTSB), its accident/incident database characterized the event as “fire” but no further information was given.

The case was duly and glibly passed to the U.K.’s Air Accidents Investigation Branch (AAIB). The AAIB, fortunately, was on the scene and produced a thorough and juicily detailed investigation in February 2009. The AAIB noted, “The electrical power system is designed to isolate a fault or failed device selectively while minimizing power interruption to a functioning system.” Then it went on to describe how the protections utterly failed to prevent a fierce and fiery conflagration:

— An internal failure of the Right Generator Circuit Breaker or Right Bus Tie Breaker contactor on the P200 power panel inside the Main Equipment Center resulted in severe internal arcing and short-circuits which melted the contactor casings.

— The open base of the P200 power panel allowed molten droplets from the failed contactors to drop down onto the insulation blankets and ignite them.

— The aircraft’s electrical protection system was not designed to detect and rapidly remove power from a contactor suffering from severe internal arcing and short-circuits.

— The contactors had internal design features that probably contributed to the uncontained failures.

The passengers were debarked by a mobile stairway, as the airplane was taxiing to its takeoff position at the time of the electrical fire. The B787 incident was obviously more serious, as the occupants got off the plane via the evacuation slides. This recourse suggests that there wasn’t time to haul a mobile stairway up to the plane for a more deliberate debarkation.

As in this B777 event, the B787 reportedly suffered from a spreading insulation blanket fire.

Now consider the three requirements for a fire: oxygen, an ignition source and fuel.

In the B777 emergency at Heathrow, and the B787 emergency landing at Laredo, TX, electrical arcing provided the ignition source and the insulation blankets provided the FUEL for the fire.

From 2000 to 2008, the FAA issued more than 20 airworthiness directives (ADs) directing the removal of insulation blankets that burn. From 1988 to 2010, at least eight FAA Technical Center reports and two FAA Safety Conference Papers were issued that addressed electrically induced fires or the insulation blankets that give fuel to the fire.

— Fire safety problems and improvements are in various stages of correction and study.

— It is impossible to predict the relative risk of serious fires occurring in hidden areas or locations.

The expression “various stages of correction” can mean anything, and the term “study” reveals the lack of a sense of urgency. Thus, the B787 crew had an urgent reason to land, and an urgent reason to evacuate the airplane as rapidly as possible, but the issues of electrical fire and flammable insulation blankets remain under “study” by the FAA – with no deadline for resolution.

After its investigation of the 1998 in-flight fire that downed Swissair flight 111, the Canadian Transportation Safety Board (TSB) said airliners ought not be designed and built with flammable components. If there is nothing to burn, the danger of electrical arcing igniting anything is hugely reduced. This TSB recommendation has obviously not been taken to heart. The B787 Dreamliner is a post-Swissair flight 111 design, yet flammable materials are still used in building new airliners.

Instead of this “strategic” approach, which implies a tightening of the certification standards for airplanes like the B787, the FAA remains stuck in the “tactical” mode, which is to say not much has changed. ADs are issued with overly generous compliance times in years. One of the latest ADs illustrates the FAA’s “slackadaisical” approach. AD 2008-23-09 requires flammable AN-26 insulation blankets to be replaced on a raft of Boeing designs, from the B727 to the B747. The rationale for the AD is given as:

“This AD results from reports of in-flight and ground fires on certain airplanes manufactured with insulation blankets covered with AN-26, which may contribute to the spread of a fire when ignition occurs from sources such as electrical arcing or sparking.”

The AD was issued in November 2008 and operators have 96 months to comply.

Actually, the AD is more accommodating to the industry than hinted at by this summary. The industry had ample notice that the AD was coming. From the time the Notice of Proposed Rulemaking (NPRM) was published in April of 2004, to the “comply-by date” of December 2014, the industry had fully 19 years and 8 months to work with, and nibble at the requirements to reduce the airplanes affected. This is seen in the “Cost of Compliance” section of the AD:

“The number of airplanes is reduced from those in the NPRM because of airplane retirements or changes from U.S. to foreign operation. A substantial decrease in estimated cost results from the net change of increasing parts and labor cost, but reduced number of airplanes, and a changed assumption of service for the entire fleet.

“All passenger airplanes in the AD fleet will reach 25 years of passenger service at most three years prior to the end of the compliance period, at which time we assume they will be converted into cargo service [which is 40% cheaper].”

If an airplane is sold into foreign operation, the provisions of the AD can be ignored. In other words, let foreigners be exposed to risks passengers will (belatedly) not be exposed to here in the U.S. Allowing eight years for the work on U.S. registered airplanes allows for much less cost than, say, a four year deadline.

The AD is typical. A model-by-model approach, over years to minimize the cost, while the root problem cited by the TSB of Canada goes unaddressed: the very materials used across many manufacturers and model applications.

A strict ban on flammable materials, as recommended by the TSB, should have been applied starting with the new B787. It wasn’t, and the emergency evacuation resulted.

This airplane is going to be in service for the next 40 years. Instead of future item-by-item corrective ADs, the vulnerability of the aircraft to in-flight fire should be designed out now.

Congressman John Mica (R-FL) is a master at avoiding obvious issues. Mica stands poised to inherit the chairmanship of the Transportation and Infrastructure Committee. He’s been the ranking member under Chairman James Oberstar (D-MN), who failed re-election.

Mica was quick to issue a press release regarding the next, 112th Congress, which said in part:

“If selected by my peers to chair the Transportation and Infrastructure Committee in the next Congress … Among my top legislative priorities will be passing … a long-overdue Federal Aviation Administration reauthorization (and) better management and utilization of federal assets.”

Of course, adequately funding the FAA is essential – it has to be kept open to conduct business, and “better management” is always a laudable goal.

Now let’s get down to particulars –

The Government Accountability Office (GAO) released a report in late October on aircraft certification within the FAA whose title reveals how substantively deficient the GAO review was: “Aviation Safety: Certification and Approval Processes Are Generally Viewed as Working Well …”

In a 29 October press release, Mica said:

“The FAA must address the inconsistencies and eliminate the costly confusion and delays in its certification process. I am concerned FAA bureaucrats are making U.S. aviation less competitive, and that if the problems are not quickly resolved, NextGen [the Next Generation air traffic control system] will be negatively impacted.”

Let’s see how “FAA bureaucrats” are gumming up the works on certification. The Eclipse EA-500 twinjet is an excellent example. Based on revelations that unfolded at an Aviation Subcommittee hearing in September 2008, the FAA clearly accommodated the wishes of an upstart manufacturer by granting all that it asked for and by ignoring shortcomings in design and by shelving critical safety issues to be solved at a later date. The FAA accepted “IOUs” from Eclipse that avionics software would meet the accepted industry standard – after certification.

Mid-level FAA witnesses from offices in Ft. Worth and San Antonio at the hearing testified that this type of certification was rushed and that the production certificate was issued before Eclipse could demonstrate an ability to replicate the design in mass production.

These local FAA officials were followed at the hearing by a table full of senior Washington-based FAA officials. They defended their actions overruling the local FAA offices by stating, basically, that the locals just were not thinking “outside the box” to approve the EA-500 design and its manufacturing. (See Aviation Safety Journal, September 2008, “Airplane Certified by FAA Despite Concerns”)

As Chairman Oberstar opined at the time:

“There is a disturbing suggestion that there was another ‘cozy relationship’ and reduced level of vigilance on the FAA’s part.”

Eclipse has since gone bankrupt; however, this is a very inefficient way to protect the flying public, and there is no question top FAA officials, instead of supporting their subordinates’ legitimate objections, went out of their way to run roughshod over the regulations and accommodate Eclipse.

We see the same action taken in airliner certification. The FAA issues “special conditions” when no regulations, or outmoded rules, exist to approve new designs, such as Boeing’s all-composite B787. The FAA would do better keeping its regulations current with the march of technology, and holding manufacturers accountable.

We see the FAA accommodating the industry with a move to have its inspectors look more at paperwork than actual airplanes.

We see this accommodating attitude in the FAA allowing critical safety programs to be optional, like Flight Operations Quality Assurance (FOQA) to analyze deviations from accepted norms.

We see the FAA accommodating the airline industry by issuing a proposed rule on pilot fatigue which ignores the problem of aircrews commuting hundreds of miles to their base stations. (See Aviation Safety Journal, “Rules Proposed on Pilot Rest Requirements”)